With numerous improvements to the logging infrastructure in Forefront TMG 2010, logging is pretty much a “set it and forget it” operation these days. Forefront TMG firewall administrators typically don’t have to worry about much with regard to logging, with the possible exception of defining a data retention policy to ensure that corporate security policy is adhered to. However, there are a few things that can be done to ensure that logging and reporting are performing at the highest levels.

Keep Log Files on a Separate Disk – Forefront TMG configuration best practices dictate that log files should be stored on a separate disk from the system partition. For optimum performance, the log files should be stored on a separate physical disk, and ideally one that is very high performing (e.g. SSD or SAS). If you do not have the option of dedicating an exclusive disk for TMG log files, at a minimum you should store the log files on a separate partition. In addition, ensure that the disk/partition that stores the log files is defragmented on a regular basis.
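One way to audit the disk placement and fragmentation recommendations above from the TMG host itself, as an added PowerShell example that is not part of the original post: it uses only WMI (available on Windows Server 2008 R2), takes the log directory as a parameter, and the default path below is an assumption about a standard install, not a value from the page.

```powershell
# Added example: check that the TMG log directory sits on a different physical
# disk than the system partition, then report fragmentation of the log volume.
# Run in an elevated PowerShell session on the TMG server.
param(
    # Assumed default install location; override if your logs live elsewhere.
    [string]$LogPath = "$env:ProgramFiles\Microsoft Forefront Threat Management Gateway\Logs"
)

# Resolve a drive letter such as "D:" to the index of the physical disk behind it
# by walking the WMI associations Win32_LogicalDisk -> Win32_DiskPartition.
function Get-PhysicalDiskIndex {
    param([string]$DriveLetter)
    $logical = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $logical) { return $null }
    $partition = $logical.GetRelated('Win32_DiskPartition') | Select-Object -First 1
    if (-not $partition) { return $null }   # network or removable volume: no local partition
    return [int]$partition.DiskIndex
}

$systemDrive = $env:SystemDrive                  # e.g. "C:"
$logDrive    = Split-Path -Qualifier $LogPath    # e.g. "D:"
$systemDisk  = Get-PhysicalDiskIndex $systemDrive
$logDisk     = Get-PhysicalDiskIndex $logDrive

if ($logDrive -eq $systemDrive) {
    Write-Warning "TMG logs are on the system partition ($systemDrive); move them to a separate disk."
} elseif ($logDisk -eq $systemDisk) {
    Write-Warning "TMG logs are on a separate partition but share physical disk $logDisk with the system partition."
} else {
    Write-Host "OK: TMG logs on $logDrive (disk $logDisk), separate from the system disk ($systemDisk)."
}

# DefragAnalysis only analyses; it does not defragment. It can take a while on large volumes.
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='$logDrive'"
if ($volume) {
    $result = $volume.DefragAnalysis()
    $pct = $result.DefragAnalysis.FilePercentFragmentation
    if ($result.DefragRecommended) {
        Write-Warning "Log volume $logDrive is ${pct}% fragmented; schedule a defragmentation."
    } else {
        Write-Host "Log volume $logDrive fragmentation: ${pct}% (no defragmentation recommended)."
    }
}
```

Skip the fragmentation section on an SSD-backed log volume, where defragmentation brings no benefit.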

Check Firewall and Web Proxy Log Settings – To optimize logging performance, select only the logged fields that are required to meet your security requirements. To make changes to these settings, open the Forefront TMG 2010 management console and highlight the Logs & Reports node in the navigation tree. Next, click Configure Firewall Logging in the tasks pane and then select the Fields tab. Review each field and deselect any fields you don’t require. Reducing the number of fields that are logged will result in less demand on available system resources and improved performance.

Keep SQL Updated – It is important not to overlook service packs and updates for the local instance of SQL 2008 Express. If you are using Windows Update to manage your TMG firewall, you may be missing important SQL updates as they are listed as optional updates.

Optimize TMG Reporting Server – When multiple Forefront TMG 2010 Enterprise edition firewalls are configured in a clustered array, one member of the array is designated as the array reporting server. This server is responsible for aggregating and summarizing log data from the other members of the array, in addition to storing and generating reports requested by an administrator. If you’re planning to use the native reporting tools (in spite of the limitations they impose), make sure that the TMG firewall designated as the reporting server has the most available system resources. To configure a TMG array reporting server, highlight the Logs & Reports node in the navigation tree. Select the Reporting tab in the details pane, and then click Configure Reporting Settings in the tasks pane. Choose the Report Server tab and select the best server in the array to serve as the report server.

In addition to the regular care and feeding of your Forefront TMG 2010 firewall, paying special attention to the tips listed above will ensure that your logging and reporting will always be running at its peak.

Additional resources:

Web Proxy Log Fields – http://msdn.microsoft.com/en-us/library/ff827532
Firewall Log Fields – http://msdn.microsoft.com/en-us/library/ff824015